About the security content of OS X Yosemite v10.10.2 and Security Update 2015-001

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An integer signedness error existed in IOBluetoothFamily which allowed manipulation of kernel memory. This issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems.

CVE-ID

CVE-2014-4497

Bluetooth

Available for: OS X Yosemite v10.10 and v10.10.1

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory. The issue was addressed through additional input validation.

CVE-ID

CVE-2014-8836 : Ian Beer of Google Project Zero

Bluetooth

Available for: OS X Yosemite v10.10 and v10.10.1

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: Multiple security issues existed in the Bluetooth driver, allowing a malicious application to execute arbitrary code with system privileges. The issues were addressed through additional input validation.

Impact: A malicious Thunderbolt device may be able to affect firmware flashing

Description: Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates.

CVE-ID

CVE-2014-4498 : Trammell Hudson of Two Sigma Investments

CommerceKit Framework

Available for: OS X Yosemite v10.10 and v10.10.1

Impact: An attacker with access to a system may be able to recover Apple ID credentials

Description: An issue existed in the handling of App Store logs. The App Store process could log Apple ID credentials in the log when additional logging was enabled. This issue was addressed by disallowing logging of credentials.

CVE-ID

CVE-2014-4499 : Sten Petersen

CoreGraphics

Available for: OS X Yosemite v10.10 and v10.10.1

Impact: Some third-party applications with non-secure text entry and mouse events may log those events

Description: Due to the combination of an uninitialized variable and an application's custom allocator, non-secure text entry and mouse events may have been logged. This issue was addressed by ensuring that logging is off by default. This issue did not affect systems prior to OS X Yosemite.

CVE-ID

CVE-2014-1595 : Steven Michaud of Mozilla working with Kent Howard

CoreGraphics

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue existed in the handling of PDF files. The issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems.

Description: Multiple vulnerabilities existed in the Intel graphics driver, the most serious of which may have led to arbitrary code execution with system privileges. This update addresses the issues through additional bounds checks.

Impact: Executing a malicious application may result in arbitrary code execution within the kernel

Description: A bounds checking issue existed in a user client vended by the IOHIDFamily driver which allowed a malicious application to overwrite arbitrary portions of the kernel address space. The issue is addressed by removing the vulnerable user client method.

CVE-ID

CVE-2014-8822 : Vitaliy Toropov working with HP's Zero Day Initiative

IOKit

Available for: OS X Yosemite v10.10 and v10.10.1

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments.

CVE-ID

CVE-2014-4389 : Ian Beer of Google Project Zero
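Several entries above (the IOBluetoothFamily integer signedness error, the Bluetooth driver allowing an application to control the size of a kernel write, the IOHIDFamily bounds-checking issue, and the IOKit integer overflow) belong to one defect class: a length or offset supplied from user space is compared with a signed or wrap-prone arithmetic check before it bounds a kernel memory operation. The following C is an added, constructed illustration of that class and of the kind of check "improved validation of arguments" refers to; it is not Apple's driver code, and the buffer size, function names and layout are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a simulated kernel-side buffer that a user-client
 * style handler copies caller-supplied bytes into. Size is an assumption. */
#define KBUF_SIZE 64
static uint8_t kbuf[KBUF_SIZE];

/* Flawed check (the signedness defect): 'len' arrives as a signed int.
 * A negative value satisfies 'len <= KBUF_SIZE', yet once it is converted
 * to size_t for memcpy it becomes a huge length, so the comparison never
 * bounded the copy. Returns 1 if the request would have been accepted;
 * the copy itself is deliberately not performed here. */
int flawed_length_check(int len)
{
    return len <= KBUF_SIZE;
}

/* Hardened handler: reject negative lengths before any unsigned conversion,
 * then bound offset and length without computing offset + len (which could
 * wrap around in 32 bits). Returns bytes copied, or -1 when rejected. */
int copy_in_hardened(const uint8_t *src, int len_raw, uint32_t offset)
{
    if (src == NULL || len_raw < 0)
        return -1;
    uint32_t len = (uint32_t)len_raw;
    if (offset > KBUF_SIZE || len > KBUF_SIZE - offset)   /* no overflow possible */
        return -1;
    memcpy(kbuf + offset, src, len);
    return (int)len;
}

int main(void)
{
    uint8_t sample[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */

    printf("flawed check accepts len=-1: %d\n", flawed_length_check(-1));
    printf("flawed check accepts len=65: %d\n", flawed_length_check(65));
    printf("hardened len=-1 -> %d\n", copy_in_hardened(sample, -1, 0));
    printf("hardened len=8 off=60 -> %d\n", copy_in_hardened(sample, 8, 60));
    printf("hardened len=8 off=0xFFFFFFF8 -> %d\n",
           copy_in_hardened(sample, 8, 0xFFFFFFF8u));
    printf("hardened len=8 off=56 -> %d\n", copy_in_hardened(sample, 8, 56));
    return 0;
}
```

The hardened version tests `len > KBUF_SIZE - offset` rather than `offset + len > KBUF_SIZE`; the subtraction form is safe only because `offset > KBUF_SIZE` has already been rejected, which is the ordering a reviewer should look for in any user-client argument validation.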

IOUSBFamily

Available for: OS X Yosemite v10.10 and v10.10.1

Impact: A privileged application may be able to read arbitrary data from kernel memory

Description: A memory access issue existed in the handling of IOUSB controller user client functions. This issue was addressed through improved argument validation.

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: Specifying a custom cache mode allowed writing to kernel read-only shared memory segments. This issue was addressed by not granting write permissions as a side effect of some custom cache modes.

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.

CVE-ID

CVE-2014-8824 : @PanguTeam

Kernel

Available for: OS X Yosemite v10.10 and v10.10.1

Impact: A local attacker can spoof directory service responses to the kernel, elevate privileges, or gain kernel execution

Description: Issues existed in identitysvc validation of the directory service resolving process, flag handling, and error handling. This issue was addressed through improved validation.

CVE-ID

CVE-2014-8825 : Alex Radocea of CrowdStrike

Kernel

Available for: OS X Yosemite v10.10 and v10.10.1

Impact: A local user may be able to determine kernel memory layout

Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization.

CVE-ID

CVE-2014-4371 : Fermin J. Serna of the Google Security Team

CVE-2014-4419 : Fermin J. Serna of the Google Security Team

CVE-2014-4420 : Fermin J. Serna of the Google Security Team

CVE-2014-4421 : Fermin J. Serna of the Google Security Team

Kernel

Available for: OS X Mavericks v10.9.5

Impact: A person with a privileged network position may cause a denial of service

Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking.

Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel

Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them.

Description: An issue existed in the handling of application launches which allowed certain malicious JAR files to bypass Gatekeeper checks. This issue was addressed through improved handling of file type metadata.

Description: Multiple type confusion issues existed in networkd's handling of interprocess communication. By sending networkd a maliciously formatted message, it may have been possible to execute arbitrary code as the networkd process. The issue is addressed through additional type checking.

Impact: Multiple vulnerabilities in OpenSSL 0.9.8za, including one that may allow an attacker to downgrade connections to use weaker cipher-suites in applications using the library

Description: Multiple vulnerabilities existed in OpenSSL 0.9.8za. These issues were addressed by updating OpenSSL to version 0.9.8zc.

CVE-ID

CVE-2014-3566

CVE-2014-3567

CVE-2014-3568

Sandbox

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A design issue existed in the caching of sandbox profiles which allowed sandboxed applications to gain write access to the cache. This issue was addressed by restricting write access to paths containing a “com.apple.sandbox” segment. This issue does not affect OS X Yosemite v10.10 or later.

CVE-ID

CVE-2014-8828 : Apple
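The Sandbox entry describes the fix as restricting write access to paths containing a "com.apple.sandbox" segment. The distinction that matters for such a rule is whole-segment matching: a substring test would also match unrelated names such as "com.apple.sandboxed" and could be fooled by a component that merely contains the string. The following C is an added example, not Apple's sandbox code; the function names and the policy wrapper are assumptions made to show how a path-segment check is evaluated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: the segment named in the advisory. */
#define SANDBOX_SEGMENT "com.apple.sandbox"

/* Return true if any '/'-delimited component of 'path' equals 'segment'
 * exactly. Runs of separators and trailing slashes are tolerated; a
 * component that only contains the segment as a substring does not match. */
bool path_has_segment(const char *path, const char *segment)
{
    if (path == NULL || segment == NULL)
        return false;
    size_t seglen = strlen(segment);
    if (seglen == 0)
        return false;

    const char *p = path;
    while (*p) {
        while (*p == '/')               /* skip one or more separators */
            p++;
        const char *start = p;
        while (*p && *p != '/')         /* advance to end of this component */
            p++;
        size_t len = (size_t)(p - start);
        if (len == seglen && memcmp(start, segment, seglen) == 0)
            return true;
    }
    return false;
}

/* Policy decision (assumed name): deny writes anywhere under a
 * com.apple.sandbox segment, allow everything else. */
bool sandbox_cache_write_allowed(const char *path)
{
    return !path_has_segment(path, SANDBOX_SEGMENT);
}

int main(void)
{
    /* Constructed sample paths, not real cache locations. */
    const char *samples[] = {
        "/private/var/folders/zz/com.apple.sandbox/profile.sb",
        "/private/var/folders/zz/com.apple.sandboxed/notes",
        "/tmp/xcom.apple.sandbox",
        "//a//com.apple.sandbox//",
        "/Users/alice/Documents/notes.txt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-55s write %s\n", samples[i],
               sandbox_cache_write_allowed(samples[i]) ? "allowed" : "denied");
    return 0;
}
```

A check like this operates on the textual path only; it does not resolve symbolic links or ".." components, so a real enforcement point has to apply it to the canonicalized path the kernel is actually about to open.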

SceneKit

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: A malicious application could execute arbitrary code leading to compromise of user information

Description: Multiple out-of-bounds write issues existed in SceneKit. These issues were addressed through improved bounds checking.

Impact: Viewing a maliciously crafted Collada file may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow existed in SceneKit’s handling of Collada files. Viewing a maliciously crafted Collada file may have led to an unexpected application termination or arbitrary code execution. This issue was addressed through improved validation of accessor elements.

Description: An access control issue existed in the Keychain. Applications signed with self-signed or Developer ID certificates could access keychain items whose access control lists were based on keychain groups. This issue was addressed by validating the signing identity when granting access to keychain groups.

CVE-ID

CVE-2014-8831 : Apple

Spotlight

Available for: OS X Yosemite v10.10 and v10.10.1

Impact: The sender of an email could determine the IP address of the recipient

Description: Spotlight did not check the status of Mail’s "Load remote content in messages" setting. This issue was addressed by improving configuration checking.

CVE-ID

CVE-2014-8839 : John Whitehead of The New York Times, Frode Moe of LastFriday.no

Description: An issue existed in Spotlight where memory contents may have been written to external hard drives when indexing. This issue was addressed with better memory management.

CVE-ID

CVE-2014-8832 : F-Secure

SpotlightIndex

Available for: OS X Yosemite v10.10 and v10.10.1

Impact: Spotlight may display results for files not belonging to the user

Description: A deserialization issue existed in Spotlight's handling of permission caches. A user performing a Spotlight query may have been shown search results referencing files for which they don't have sufficient privileges to read. This issue was addressed with improved bounds checking.

Description: OS X Yosemite v10.10 addressed an issue in the handling of password-protected PDF files created from the Print dialog where passwords may have been included in printing preference files. This update removes such extraneous information that may have been present in printing preference files.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.